1Password SSH-Agent + Pageant on Windows 10

1Password is a great password manager. For a little less than a year 1Password can act as your ssh-agent, meaning that you only need to store the public keys locally, the private key comes from 1Password itself. There are a few things to note and set up if you are on Windows.

I hope this post will help people interested but somewhat bewildered by some parts to get it to run and understand the relevant bits and bops.

Please note that this post assumes that you already have Windows’ own version of the OpenSSH client installed and possibly updated to a newer version. I also assume that you have already imported at least one SSH key pair (public/private key) into 1Password (under the SSH Key type).

Windows Hello

A requirement for 1Password’s ssh-agent is that you have Windows Hello enabled. The documentation on 1Password’s end makes it sound like you need a Windows Hello-compatible webcam or some kind of fingerprint sensor or whatnot.

This is not true, you can also use a simple PIN as your 2nd factor. This is easily set up via Windows 10’s Settings – Accounts – Sign-in options.

Disabling Windows’ SSH Agent

Open the Computer Management, browse to the services and ensure that, if it is present, the “OpenSSH Authentication Agent” is disabled.

This is required because the ssh-agent on Windows is published through a pipe. If the OpenSSH Authentication Agent is running, the pipe is already present – causing an issue with 1Password trying to fill that role.

Enabling 1Password SSH Agent

Within 1Password’s desktop client, go to the settings – Security and enable “Unlock using Windows Hello” as well as “Show Windows Hello prompt automatically”.

Now switch to the Developer tab and tick the box “Use the SSH agent”.

Configuring the SSH Client

For the sake of argument, let us assume that you have a dedicated ssh key for communicating with GitHub and that you already imported that ssh key into 1Password.

How do we get the Windows-version of the OpenSSH client to use the agent for this?

Edit your ~/.ssh/config file and generally enable the agent:

Host *
  IdentityAgent //./pipe/openssh-ssh-agent

We want to specify the exact key to use for GitHub, though. So let’s return to 1Password, select the public key of your ssh key and save it locally. Move the file to your ~/.ssh directory and rename it (i.e. id_ed25519_github.pub).

Edit the ~/.ssh/config file again and add/alter an entry for GitHub:

Host github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519_github.pub
  IdentityAgent //./pipe/openssh-ssh-agent
  IdentitiesOnly yes

Save the configuration. If you still have your pair of pubkey/privkey in the ~/.ssh directory, move it aside for a test. By instructing the use of the id_ed25519_github.pub, 1Password will look up the matching ssh key from it’s archive.

Otherwise, like other ssh-agents, it would try several keys. We do not want this.

Now you should be able to connect to GitHub via ssh and have 1Password provide the proper key:

ssh -T git@github.com

If you see the input field for your Windows Hello pin, things should be peachy:

Hi XXXXXXXX! You've successfully authenticated, but GitHub does not provide shell access.

Sweet stuff! You should also be able to check the contents of your 1Password ssh key archive:

ssh-add -l

Even better!

Git

Git for Windows ships with its own copy of ssh. We need to make sure the Windows version of the OpenSSH client is being used. So, as per documentation, we explicitly set the path to the ssh client:

git config --global core.sshCommand "C:/Windows/System32/OpenSSH/ssh.exe"

If you have downloaded a newer version of the Windows-version of the OpenSSH client, point it to the appropriate executable.

Pageant

But what about applications that use Putty’s Pageant? Having two instances provide keys is not what we want.

Thankfully, WinSSH-Pageant is able to bridge between the two tools. Simply install WinSSH-Pageant, make sure to close Putty’s Pageant and… well, that’s it.

If you use WinSCP or other software using Putty’s components, WinSSH-Pageant should relay the agent requests to 1Password, meaning that the Windows Hello PIN will be prompted and keys will be delivered from 1Password’s archive.